Abstract

A first order inference system, named R-calculus, is defined to develop the specifications.
This system intends to eliminate the laws which are not consistent with the user's
requirements. The R-calculus consists of the structural rules, an axiom, a cut rule, and
the rules for logical connectives. Some examples are given to demonstrate the usage of the
R-calculus. Furthermore, the properties regarding reachability and completeness of the
R-calculus are formally defined and proved.
1 Motivation

During the development of specifications, two situations are commonly encountered.
First, the specification is not consistent; as a result, a program to satisfy it does not
exist. Second, the specification is consistent, but users and designers refuse to accept
it since the running results of the generated program do not meet their requirements.
Under both circumstances, the specification should be redesigned. In that case, the
elimination of inconsistent laws and the introduction of new laws become very
important; this paper principally addresses these concerns. For example, consider the
following specification:

$$\Gamma = \{A,\ A \supset B,\ B \supset C,\ E \supset F\}$$

where $A$, $B$, $C$, $E$, and $F$ denote some equations. It is obvious that $\Gamma \vdash C$ holds. Users,
however, reject $C$ and prefer $\neg C$. In this case, we have to redesign the specification.

The principal purpose of this paper, therefore, is to build an inference system,
named R-calculus, to revise the specifications. The nature of R-calculus differentiates it
from many well known inference systems of specifications. The latter aim
to deduce the correct programs to satisfy a given specification [10,11,12,13]. The
R-calculus, however, emphasizes revising the specifications and eliminating the laws which are not
consistent with the user's requirements.

The R-calculus is indeed a transition system which consists of the structural rules,
an axiom, a cut rule, and the rules of logical connectives. Some examples are given to
demonstrate how the R-calculus can be used to develop specifications. Furthermore, the
properties of the R-calculus, such as reachability and completeness, are formally defined
and proved.



2 The Necessary Premise 



In order to avoid the syntactical details, in this paper, the first order languages are chosen
to be the specification languages [1]. Briefly, a first order language $\mathcal{L}$ has two sets of
symbol strings. They are the set of terms and the set of formulas. The set of terms is
defined on the set of variable symbols $V$ ranged over by $x, y, z, \ldots$, the set of function
symbols $F$ ranged over by $f, g, h, \ldots$, and the set of constant symbols $C$ ranged over by
$a, b, c, \ldots$, and it is defined inductively as below:

$$t ::= c \mid x \mid f(t_1, t_2, \ldots, t_n)$$

The set of formulas is defined on the set of predicates $P$ ranged over by $P, Q, R, \ldots$, and
the set of logical connectives including $\wedge, \vee, \supset, \forall, \exists$, and it is defined inductively as
follows:

$$A ::= P(t_1, t_2, \ldots, t_n) \mid \neg A \mid A \wedge B \mid A \vee B \mid A \supset B \mid \forall x.A \mid \exists x.A$$

In this paper, $\Gamma$ is used to denote a formal theory, which is a finite set of formulas.
$Th(\Gamma)$ denotes the set of all logical consequences of $\Gamma$. $\Gamma \vdash A$ is called a sequent, where $A$
is a logical consequence of $\Gamma$ [1,2] and $\vdash$ is the deductive relation. A Gentzen style inference
system, such as the G system [1], is employed for the logical analysis of the specifications.
Each inference rule of LK is described by a fraction of a number of sequents. A proof tree
$\mathcal{T}$ of the sequent $\Gamma \vdash A$ is a finite tree structure, where every node of $\mathcal{T}$ is a sequent, the
node and its direct sons form an application of an inference rule of the G system, the
root of $\mathcal{T}$ is $\Gamma \vdash A$, and every leaf of $\mathcal{T}$ is an axiom.

Definition 2.1 Necessary premise

Let $\Gamma \vdash A$, and $\mathcal{T}$ be its proof tree. Let $P$, $Q$, and $R$ be formulas in $\mathcal{T}$. $P$ is premise
of $Q$, if and only if the following items hold:

1. If $\Gamma', P \vdash P$ is a leaf of $\mathcal{T}$, then the $P$ on the left hand side of $\vdash$ is the premise of the
$P$ on the right hand.

2. If the node of $\mathcal{T}$ is an application of a right rule, $Q$ is one of $A \wedge B$, $A \vee B$, $A \supset B$, $\neg A$,
$\forall x.A$, and $\exists x.A$, which is a principal formula [1] in the denominator of the inference
rules, and $P$ is one of $A$, $B$, $A[t/x]$, and $A[y/x]$, which is a side formula [1] in the
numerator of the corresponding inference rule, then $P$ is the premise of $Q$.

3. If the node of $\mathcal{T}$ is an application of a left rule, and $Q'$ is one of $A \wedge B$, $A \vee B$, $A \supset B$,
$\neg A$, and $\exists x.A$, which is a principal formula in the denominator of the inference
rules, then $Q'$ is the premise of $A$, $B$, $A[t/x]$, and $A[y/x]$, which is a side formula
in the numerator of the corresponding inference rule. Every one of $A$, $B$, $A[t/x]$,
and $A[y/x]$ is necessary premise of the formula on the right hand side of $\vdash$ in the
denominator.

4. If $P$ is $Q$'s premise, and $Q$ is $R$'s necessary, then $P$ is $R$'s necessary premise.

Let $\mathcal{P}_{\mathcal{T}}(\Gamma, A)$ be the set of premise of $A$ in the proof tree $\mathcal{T}$. If $P \in \Gamma$ holds and $P$ is
the premise of $A$ in $\mathcal{T}$, precisely, $P \in \Gamma \cap \mathcal{P}_{\mathcal{T}}(\Gamma, A)$, $P$ is the necessary premise of $A$ in $\mathcal{T}$,
which can be written as $P \mapsto_{\mathcal{T}} A$. □

According to Definition 2.1, for any given $\Gamma \vdash A$, the necessary premise of $A$ depends
on the proof tree $\mathcal{T}$. However, whenever $\Gamma \vdash A$ holds, its proof tree exists. Thus, to
simplify the writing, sometimes the tree $\mathcal{T}$ is omitted from $\mapsto_{\mathcal{T}}$ and the related
notation will be written as $P \mapsto A$ when there is no confusion in the context.

Example 2.1 $\wedge$-right rule:

$$\frac{\Gamma \vdash A \qquad \Gamma \vdash B}{\Gamma \vdash A \wedge B}$$

$A$ and $B$ are the necessary premise of $A \wedge B$.

Example 2.2

Consider the sequent: $C, A, \forall x(A \supset B(x)) \vdash \exists x B(x)$. Its proof tree is the following:

$$\dfrac{\dfrac{\dfrac{C, A^{*4}, (\forall x(A \supset B(x)))^{*2}, (A \supset B[t/x])^{*2} \vdash A^{*3} \qquad C, A, (\forall x(A \supset B(x)))^{*2}, (B[t/x])^{*3} \vdash B[t/x]^{*1}}{C, A, (\forall x(A \supset B(x)))^{*2}, (A \supset B[t/x])^{*2} \vdash B[t/x]^{*1}}}{C, A, (\forall x(A \supset B(x)))^{*2} \vdash B[t/x]^{*1}}}{C, A, \forall x(A \supset B(x)) \vdash \exists x B(x)}$$

The first node is an application of the $\exists$-right rule. $B[t/x]$ is premise of $\exists x B(x)$. We use
superscript $*$ to denote the premise, and use number 1 to denote the first node. The second
node is an application of the $\forall$-left rule. According to Definition 2.1, $(\forall x(A \supset B(x)))^{*2}$ on
the left hand of $\vdash$ in the denominator of the node 2 is the premise of $(A \supset B[t/x])^{*2}$ on
the left hand of $\vdash$ in the numerator, and $(A \supset B[t/x])^{*2}$ is also the premise of $B[t/x]^{*1}$.
The third node of the proof tree is an application of the $\supset$-left rule. According to Definition
2.1, $(A \supset B[t/x])^{*2}$ is the premise of $A^{*3}$ on the right hand of $\vdash$ of the first sequent in the
numerator, and is also the premise of $B[t/x]^{*3}$ on the left hand of $\vdash$ of the second sequent in the
numerator. $A^{*3}$ and $B[t/x]^{*3}$ are the premise of $B[t/x]^{*1}$ on the right hand of $\vdash$ in the
denominator of the node 3. The fourth node is an application of the axiom. $A^{*4}$ on the left
hand of $\vdash$ is the premise of $A^{*3}$ on the right hand. The fifth node is also an application of
the axiom. $B[t/x]^{*3}$ on the left hand of $\vdash$ is the premise of $B[t/x]^{*1}$ on the right. Thus,
the set of premises of the proof tree is

$$\{B[t/x],\ \forall x(A \supset B(x)),\ A \supset B[t/x],\ A\}$$

According to Definition 2.1, the necessary premise of $\exists x.B(x)$ of the sequent
$C, A, \forall x(A \supset B(x)) \vdash \exists x.B(x)$ is:

$$\{A,\ \forall x(A \supset B(x))\}$$

□

Lemma 2.1 Let $\Gamma \vdash A$ and $\mathcal{T}$ be its proof tree. The set $\mathcal{P}(\Gamma, A)$ is decidable.

Proof. According to the definition of the necessary premise, an algorithm can be designed
in the following way: its input is the proof tree, and its output is the set $\mathcal{P}(\Gamma, A)$. The
algorithm computes the premise from the root of $\mathcal{T}$ to the leaves of $\mathcal{T}$ as shown in
Example 2.2 above. Since the proof tree $\mathcal{T}$ is finite, the algorithm will halt. □

In this paper, the finite formal theories of $\mathcal{L}$ are used to describe the specifications.



Definition 2.2 Specification

A finite consistent set $\Gamma$ of sentences is called a specification. The sentences
contained in $\Gamma$ are called the laws of the specification.

We assume that two sentences $P$ and $Q$ are the same sentence if and only if $P \equiv Q$
(that is, $(P \supset Q) \wedge (Q \supset P)$ is a tautology).

A model $\mathbf{M}$ is a pair $\langle M, I \rangle$, where $M$ is a non empty set called the domain and
$I$ is a map called the interpretation. The form $\mathbf{M} \models A$ means that for the given
domain $M$ and the interpretation $I$, $A$ is true in $\mathbf{M}$. $\mathbf{M} \models \Gamma$ means that for every $A \in \Gamma$,
$\mathbf{M} \models A$.

Definition 2.3 $A$ is called a logical consequence of $\Gamma$ and is written as $\Gamma \models A$, if and
only if for every $\mathbf{M}$, if $\mathbf{M} \models \Gamma$, then $\mathbf{M} \models A$ holds.

3 The User's rejections 

As we mentioned before, the users reject a specification when they have found a counter
example to it. In first order logic, the user's rejection can be defined by the models.

Definition 3.1 User's rejection

Let $\Gamma \models A$. A model $\mathbf{M}$ is called a user's rejection of $A$ if and only if $\mathbf{M} \models \neg A$. Let

$$\Gamma_{\mathbf{M}(A)} = \{A_i \mid A_i \in \Gamma,\ \mathbf{M} \models A_i,\ \mathbf{M} \models \neg A\}$$

$\mathbf{M}$ is called an ideal user's rejection of $A$ if and only if $\Gamma_{\mathbf{M}(A)}$ is maximal in the sense
that there does not exist another user's rejection $\mathbf{M}'$ of $A$, such that $\Gamma_{\mathbf{M}(A)} \subset \Gamma_{\mathbf{M}'(A)}$.

The above definition describes the situation that $\Gamma \vdash A$, but the users or
designers have found a counter example $\mathbf{M}$ that makes $\neg A$ true. $\Gamma_{\mathbf{M}(A)}$ is a subset of $\Gamma$
which does not contradict $\neg A$. The user's rejection meets the intuition that whether a
specification is accepted depends only on whether its logical consequences agree with the user's
requirements. The ideal user's rejection meets Occam's razor, which says: Entities
are not to be multiplied beyond necessity. Here, it means that if a logical consequence
deduced from a specification is rejected by the users, then the maximal subsets of the
specification which are consistent with the user's rejection must be retained and are assumed
to be true in the current stage of the development of the specification, but the rest of the laws
contained in the specification must be removed because they lead to the user's rejection.

In the rest of the paper, we consider ideal user's rejections only, and simply call them
user's rejections. Sometimes, we even say that $\neg A$ is a user's rejection of $\Gamma$; it means that
$\Gamma \vdash A$ and there is an ideal user's rejection $\mathbf{M}$ and $\mathbf{M} \models \neg A$.

Definition 3.2 (Maximal contraction).

Let $\Gamma \vdash A$ and $\Delta \subset \Gamma$. $\Delta$ is called a maximal contraction of $\Gamma$ by $\neg A$ if it is a maximal
subset of $\Gamma$ and is consistent with $\neg A$.

Example 3.1

Let $\Gamma = \{A,\ A \supset B,\ B \supset C,\ E \supset F\}$. It can be proved that $\Gamma \vdash C$ holds. Let $\neg C$ be a
user's rejection. It can be verified that there are three maximal contractions:

$$\{A,\ A \supset B,\ E \supset F\}, \quad \{A,\ B \supset C,\ E \supset F\}, \quad \{A \supset B,\ B \supset C,\ E \supset F\}.$$
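The three sets of Example 3.1 can be checked mechanically. The following is an added example, not part of the original paper: it enumerates the maximal contractions of Definition 3.2 semantically, by truth tables, for the propositional case only. The tuple encoding of formulas and all function names are assumptions of this sketch.

```python
from itertools import combinations, product

# Formulas as nested tuples (encoding assumed for this example):
# ("atom", name), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)
def atom(name):
    return ("atom", name)

def neg(f):
    return ("not", f)

def imp(f, g):
    return ("imp", f, g)

def atoms(f):
    """Set of atom names occurring in formula f."""
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(atoms(sub) for sub in f[1:]))

def holds(f, v):
    """Truth value of f under the valuation v (dict: atom name -> bool)."""
    op = f[0]
    if op == "atom":
        return v[f[1]]
    if op == "not":
        return not holds(f[1], v)
    if op == "and":
        return holds(f[1], v) and holds(f[2], v)
    if op == "or":
        return holds(f[1], v) or holds(f[2], v)
    if op == "imp":
        return (not holds(f[1], v)) or holds(f[2], v)
    raise ValueError(f"unknown connective: {op}")

def consistent(formulas):
    """True iff some valuation satisfies every formula (brute force)."""
    formulas = list(formulas)
    names = sorted(set().union(*(atoms(f) for f in formulas)))
    for bits in product([False, True], repeat=len(names)):
        v = dict(zip(names, bits))
        if all(holds(f, v) for f in formulas):
            return True
    return False

def maximal_contractions(gamma, rejection):
    """All maximal subsets of gamma that are consistent with `rejection`."""
    gamma = list(gamma)
    found = []
    # Largest subsets first, so any proper subset of a hit can be skipped.
    for size in range(len(gamma), -1, -1):
        for subset in combinations(gamma, size):
            s = frozenset(subset)
            if any(s < bigger for bigger in found):
                continue
            if consistent(list(subset) + [rejection]):
                found.append(s)
    return found

# The specification of Example 3.1 and the user's rejection "not C".
A, B, C, E, F = (atom(n) for n in "ABCEF")
GAMMA_3_1 = [A, imp(A, B), imp(B, C), imp(E, F)]
NOT_C = neg(C)

if __name__ == "__main__":
    for contraction in maximal_contractions(GAMMA_3_1, NOT_C):
        print(sorted(contraction))
```

The enumeration is exponential in the size of the specification, so it serves only as a reference against which derivations in the calculus can be compared on small inputs.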



Lemma 3.1

If $\Gamma \vdash A$ and $\Delta$ is a maximal contraction of $\Gamma$ by $\neg A$, then there exists a user's rejection
$\mathbf{M}$ of $\Gamma$ by $A$ and $\mathbf{M} \models \neg A$ holds.

Proof: The proof is directly from the definition.

4 The R-calculus 

The purpose of this section is to build an inference system about logical connectives to
remove the laws which are not consistent with a given user's rejection. It is called R-calculus.
For a given $\Gamma \vdash A$, the R-calculus is used to derive all maximal contractions of $\Gamma$ by $\neg A$.
In fact, if $\Gamma$ is not consistent, the R-calculus is still employed to derive all maximal
subsets of $\Gamma$ that are consistent with $\neg A$.

In order to define the calculus, for a formal theory $\Gamma$, a concept called R-condition of
$\Gamma$ is to be introduced. The R-condition is a kind of mirror reflection of the concept of
T-condition used in the forcing theory [8].

Definition 4.1 R-condition of $\Gamma$

Let $\Gamma$ be a specification and $\Delta$ be a finite consistent set of atomic formulas and the
negations of atomic formulas. $\Delta$ is called an R-condition of $\Gamma$, if and only if for every
$A \in \Delta$, $\Gamma \vdash \neg A$ holds.

Lemma 4.1

Let $\Gamma$ be a specification and $\Delta$ be an R-condition of $\Gamma$. If $A \in \Delta$, then $A$ is a user's
rejection of $\Gamma$.

Proof. The proof is directly from the definition.

Definition 4.2 R-configuration

$$\Delta \mid \Gamma$$

is called an R-configuration, if and only if $\Gamma$ is a specification and $\Delta$ is an R-condition of $\Gamma$.
The R-configuration $\Delta \mid \Gamma$ is read as $\Delta$ overrides $\Gamma$.

$\Delta$ and $\Gamma$ can be written as sequences, such as $A, B, \Delta_1$ and $A, B, \Gamma$, etc. Let $\Delta$ be
$A_1, A_2, \ldots, A_n$. According to the above definitions, the R-configuration $\Delta \mid \Gamma$ implies that
$\Gamma \vdash \neg A_1 \wedge \neg A_2 \wedge \cdots \wedge \neg A_n$ holds. Let its proof tree be denoted by $\mathcal{T}$.

Definition 4.3 R-transition

$$\Delta \mid \Gamma \Longrightarrow \Delta' \mid \Gamma'$$

is called an R-transition. It means that the configuration $\Delta \mid \Gamma$ is transformed to $\Delta' \mid \Gamma'$.

$\Longrightarrow^*$ denotes a sequence of the transitions. $*$ denotes finite times of transitions but
also infinite times and times of transitions. The following R-transition

$$\Delta \mid A, \Gamma \Longrightarrow \Delta \mid \Gamma$$

means that $\Delta \mid A, \Gamma$ is transformed to $\Delta \mid \Gamma$, and $A$ is deleted during the transition.

R-calculus contains four kinds of transformation rules. They are the structural rules, the
R-axiom, the R-cut rule and the rules of logical connectives. As mentioned before, for
simplicity of writing, the proof tree is omitted from $\mapsto$ and $\Longrightarrow$.

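Structural rules

Definition 4.4

Contraction

$$\Delta \mid A, A, \Gamma \Longrightarrow \Delta \mid A, \Gamma \qquad\qquad A, A, \Delta \mid \Gamma \Longrightarrow A, \Delta \mid \Gamma$$

Exchange

$$\Delta \mid A, B, \Gamma \Longrightarrow \Delta \mid B, A, \Gamma \qquad\qquad A, B, \Delta \mid \Gamma \Longrightarrow B, A, \Delta \mid \Gamma$$

The contraction rules mean that the same formulas occurring on one side can be
contracted to one. The exchange rules say that a formula can be moved from one position
to another within one side of a configuration.

Definition 4.5 R-axiom

$$A, \Delta \mid \neg A, \Gamma \Longrightarrow A, \Delta \mid \Gamma$$

The R-axiom means that if $A$ (the atomic formula or the negation of atomic formula)
occurs on the left hand side and its negation $\neg A$ occurs on the right hand side, then $\neg A$
must be deleted.

Definition 4.6 R-cut rule

$$\frac{\Gamma_1, A \vdash B \qquad A \mapsto B \qquad B, \Gamma_2 \vdash C \qquad \Delta \mid C, \Gamma_2 \Longrightarrow \Delta \mid \Gamma_2}{\Delta \mid \Gamma_1, A, \Gamma_2 \Longrightarrow \Delta \mid \Gamma_1, \Gamma_2}$$

where $\Gamma = \Gamma_1, A, \Gamma_2$ and $\Delta = \neg C, \Delta'$. The R-cut means that $C$ is an atomic formula
or the negation of an atomic formula, and $C$ is not consistent with $\Delta$. Furthermore, $B$ is
a lemma used in the proof of $C$, $A$ is contained in $\Gamma$ and is the necessary premise of $B$. In
this circumstance, $A$ must be eliminated.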

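Logical rules

Definition 4.7 R-$\wedge$ rule

$$\frac{\Delta \mid A, \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid A \wedge B, \Gamma \Longrightarrow \Delta \mid \Gamma} \qquad\qquad \frac{\Delta \mid B, \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid A \wedge B, \Gamma \Longrightarrow \Delta \mid \Gamma}$$

$A$ occurring in the numerator of the R-$\wedge$ rule means that $\Delta \vdash \neg A$ holds. According
to the $\wedge$ rule of the G system, $\Delta \vdash \neg A \vee \neg B$ holds. That is, $\Delta \vdash \neg(A \wedge B)$ holds. Therefore,
if $A$ is deleted, then $A \wedge B$ must be deleted. Similarly, for the rule on the right, if $B$ is
deleted, then $A \wedge B$ must be deleted.

Definition 4.8 R-$\vee$ rule

$$\frac{\Delta \mid A, \Gamma \Longrightarrow \Delta \mid \Gamma \qquad \Delta \mid B, \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid A \vee B, \Gamma \Longrightarrow \Delta \mid \Gamma}$$

Since $A$ and $B$ occurring in the numerator of the R-$\vee$ rule are going to be deleted, $\Delta \vdash \neg A$
and $\Delta \vdash \neg B$ hold. According to the $\vee$ rule of the G system, $\Delta \vdash \neg A \wedge \neg B$ holds. The
latter implies $\Delta \vdash \neg(A \vee B)$. Therefore, $A \vee B$ must be deleted.

Definition 4.9 R-$\supset$ rule

$$\frac{\Delta \mid \neg A, \Gamma \Longrightarrow \Delta \mid \Gamma \qquad \Delta \mid B, \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid A \supset B, \Gamma \Longrightarrow \Delta \mid \Gamma}$$

The R-$\supset$ rule holds since $(A \supset B) \equiv (\neg A \vee B)$.

Definition 4.10 R-$\forall$ rule

$$\frac{\Delta \mid A[t/x], \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid \forall x A, \Gamma \Longrightarrow \Delta \mid \Gamma}$$

where $t$ is a term and is free in $A$ for $x$.

Since $A[t/x]$ occurring in the numerator of the R-$\forall$ rule is to be deleted, $\Delta \vdash \neg A[t/x]$
holds. It implies $\Delta \vdash \neg \forall x A[x]$. Thus, $\forall x A[x]$ must be deleted. R-$\forall$ means that if $A[t/x]$
is not consistent with $\Delta$, then $\forall x A(x)$ can not be consistent with $\Delta$.

Definition 4.11 R-$\exists$ rule

$$\frac{\Delta \mid A[y/x], \Gamma \Longrightarrow \Delta \mid \Gamma}{\Delta \mid \exists x A, \Gamma \Longrightarrow \Delta \mid \Gamma}$$

$y$ is an eigenvariable and it does not occur in the denominator of the rule.

If $A[y/x]$ is to be deleted in the numerator of the R-$\exists$ rule, then $\Delta \vdash \neg A[y/x]$.
According to the $\exists$ rule of the G system, $\Delta \vdash \neg \exists x A(x)$ holds. Therefore, $\exists x A(x)$ must be
deleted. This rule means that for any eigenvariable $y$, if $A[y/x]$ is not consistent with $\Delta$,
then $\exists x A(x)$ is not consistent with $\Delta$.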

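Definition 4.12 R-$\neg$ rule

$$\Delta \mid A, \Gamma \Longrightarrow \Delta \mid A', \Gamma$$

$A$ and $A'$ are defined as below:

$$\begin{array}{c|cccccc}
A & \neg(B \wedge C) & \neg(B \vee C) & \neg\neg B & \neg(B \supset C) & \neg\forall x.B & \neg\exists x.B \\
\hline
A' & \neg B \vee \neg C & \neg B \wedge \neg C & B & B \wedge \neg C & \exists x.\neg B & \forall x.\neg B
\end{array}$$

The R-$\neg$ rule is an expansion rule. $\neg A$ occurring on the left of the long right arrow is
substituted by its equivalent $A'$, and the "$\neg$" goes to the next level.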



Definition 4.13 R-calculus

R-calculus is the set which consists of the structural rules, the R-axioms, the R-cut
rule, the R-$\wedge$ rule, the R-$\vee$ rule, the R-$\supset$ rule, the R-$\forall$ rule, the R-$\exists$ rule, and the R-$\neg$
rule.

An R-configuration $\Delta \mid \Gamma$ is called an R-termination if there does not exist an R-rule
that can be applied to $\Delta \mid \Gamma$ with the exception of the structural rules.

In summary, every R-configuration $\Delta \mid \Gamma$ consists of two parts: the left part $\Delta$ is a finite
consistent set of atomic formulas and the negations of atomic formulas, and the right part $\Gamma$
is a finite set of sentences which may not be consistent. For every $A \in \Delta$, $A$ is a user's
rejection of $\Gamma$. The R-calculus is an inference system. It can be used to eliminate those
laws which are not consistent with $\Delta$. The principles of elimination are as below: the law $A$ of
$\Gamma$ (on the right hand side of $\mid$) is to be eliminated if its negation $\neg A$ occurs in $\Delta$ (on the
left hand side of $\mid$). If $A$ of $\Gamma$ is a compound sentence, then whether $A$ is to be eliminated
depends on the eliminations of the components of $A$ and the meaning of the logical connective
occurring in $A$. The rule for a logical connective of R-calculus is a mirror reflection of the
rule for the same logical connective of the first order inference system.
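The elimination principle summarized above can be read as a recursive procedure. The following is an added example, not part of the original paper: it implements the R-axiom, the R-$\wedge$, R-$\vee$, R-$\supset$ rules and the propositional rows of the R-$\neg$ table, leaving out the quantifier rules and the R-cut rule. The tuple encoding, the function names, the sample data, and the reading of the R-axiom as "a literal is deleted when its complement occurs in $\Delta$" (the way Example 5.1 applies it) are assumptions of this sketch.

```python
# Formulas as nested tuples (encoding assumed for this example):
# ("atom", name), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)

def is_literal(f):
    """Atomic formula or negation of an atomic formula."""
    return f[0] == "atom" or (f[0] == "not" and f[1][0] == "atom")

def complement(lit):
    """p for (not p), and (not p) for p."""
    return lit[1] if lit[0] == "not" else ("not", lit)

def push_negation(f):
    """R-neg table, propositional rows: rewrite A = not(...) into A'."""
    g = f[1]
    if g[0] == "and":   # not(B and C)  ->  (not B) or (not C)
        return ("or", ("not", g[1]), ("not", g[2]))
    if g[0] == "or":    # not(B or C)   ->  (not B) and (not C)
        return ("and", ("not", g[1]), ("not", g[2]))
    if g[0] == "not":   # not not B     ->  B
        return g[1]
    if g[0] == "imp":   # not(B imp C)  ->  B and (not C)
        return ("and", g[1], ("not", g[2]))
    raise ValueError(f"unknown connective: {g[0]}")

def deleted(delta, f):
    """True iff the logical rules delete f from the right of delta | f, Gamma."""
    if is_literal(f):
        return complement(f) in delta                 # R-axiom
    op = f[0]
    if op == "not":
        return deleted(delta, push_negation(f))       # R-neg, then recurse
    if op == "and":                                   # either conjunct deleted
        return deleted(delta, f[1]) or deleted(delta, f[2])
    if op == "or":                                    # both disjuncts deleted
        return deleted(delta, f[1]) and deleted(delta, f[2])
    if op == "imp":                                   # not-A and B both deleted
        return deleted(delta, ("not", f[1])) and deleted(delta, f[2])
    raise ValueError(f"unknown connective: {op}")

def apply_logical_rules(delta, gamma):
    """Laws of gamma that survive the logical rules under delta."""
    return [f for f in gamma if not deleted(delta, f)]

# Constructed sample data (not from the paper): delta = {not c, a}.
a, b, c = ("atom", "a"), ("atom", "b"), ("atom", "c")
SAMPLE_DELTA = {("not", c), a}
SAMPLE_GAMMA = [
    c,                          # deleted: complement (not c) is in delta
    ("and", a, c),              # deleted: conjunct c is deleted
    ("or", c, ("not", a)),      # deleted: both disjuncts are deleted
    ("imp", a, c),              # deleted: (not a) and c are both deleted
    ("not", ("imp", a, c)),     # kept: expands to a and (not c)
    ("or", b, c),               # kept: disjunct b is not deleted
]

if __name__ == "__main__":
    print(apply_logical_rules(SAMPLE_DELTA, SAMPLE_GAMMA))
```

Applied to $\{A,\ A \supset B,\ B \supset C,\ E \supset F\}$ with $\Delta = \{\neg C\}$, this procedure deletes nothing, because no law there is a literal or compound whose components are directly contradicted; such laws are reached only through the R-cut rule.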

5 Some Examples 

The following three examples are given to show how the R-calculus can be used to delete
the laws of $\Gamma$ which are not consistent with its user's rejection.

Example 5.1

Let $\Gamma = \{\forall x.A(x), \Gamma'\}$ and $\Delta = \{\neg A[c]\}$ hold. The latter means that we must accept
$\neg A[c]$, where $c$ is a constant. According to the R-axiom,

$$\neg A[c] \mid A[c], \Gamma' \Longrightarrow \neg A[c] \mid \Gamma'$$

holds. By the R-$\forall$ rule,

$$\frac{\neg A[c] \mid A[c], \Gamma' \Longrightarrow \neg A[c] \mid \Gamma'}{\neg A[c] \mid \forall x A(x), \Gamma' \Longrightarrow \neg A[c] \mid \Gamma'}$$

holds. Thus, it is proved by the R-calculus that $\forall x A(x)$ is not consistent with $\neg A[c]$, and
it should be eliminated from $\Gamma$. □

The following example demonstrates how to use the R-cut rule.

Example 5.2 Consider the example given in the beginning of the paper. Let

$$\Gamma = \{A,\ A \supset B,\ B \supset C,\ E \supset F\}$$

$\Gamma \vdash C$ holds. Suppose $\neg C$ is a user's rejection. According to the definition, there exist
three maximal contractions of $\Gamma$ by $\neg C$:

$$\{A,\ A \supset B,\ E \supset F\}, \quad \{A,\ B \supset C,\ E \supset F\}, \quad \{A \supset B,\ B \supset C,\ E \supset F\}.$$

In fact, each one of the above three can be derived by the R-calculus. Consider
$\{A,\ A \supset B,\ E \supset F\}$ first. Let

$$\Gamma_1 = \{A,\ A \supset B\} \qquad \Gamma_2 = \{E \supset F\}.$$

By the G system, both

$$\Gamma_1, B \supset C \vdash C \quad \text{and} \quad C, \Gamma_2 \vdash C$$

hold. According to Definition 2.1, $B \supset C$ is the necessary premise of $C$ and $B \supset C \mapsto C$
holds.

$$\neg C \mid C, \Gamma_2 \Longrightarrow \neg C \mid \Gamma_2$$

holds by the R-axiom. The R-cut rule is then applied and

$$\neg C \mid \Gamma_1, B \supset C, \Gamma_2 \Longrightarrow \neg C \mid \Gamma_1, \Gamma_2$$

holds. Here $\Gamma_1, \Gamma_2$ is just $\{A,\ A \supset B,\ E \supset F\}$.

Consider the second maximal contraction $\{A,\ B \supset C,\ E \supset F\}$. Let

$$\Gamma_1 = \{A\} \qquad \Gamma_2 = \{B \supset C,\ E \supset F\}.$$

By the G system,

$$\Gamma_1, A \supset B \vdash B \quad \text{and} \quad B, \Gamma_2 \vdash C$$

hold. Notice that $A \supset B$ is the premise of $B$ and is in $\Gamma$. Thus, $A \supset B \mapsto B$ holds. According
to the R-axiom,

$$\neg C \mid C, \Gamma_2 \Longrightarrow \neg C \mid \Gamma_2$$

holds. Thus, the R-cut rule is applied and

$$\neg C \mid \Gamma_1, A \supset B, \Gamma_2 \Longrightarrow \neg C \mid \Gamma_1, \Gamma_2$$

holds. Here $\Gamma_1, \Gamma_2$ is $\{A,\ B \supset C,\ E \supset F\}$. Finally, let

$$\Gamma_1 = \emptyset \qquad \Gamma_2 = \{A \supset B,\ B \supset C,\ E \supset F\}.$$

Using a similar proof strategy, the third maximal contraction $\{A \supset B,\ B \supset C,\ E \supset F\}$
can be derived by the R-calculus. □

In the above two examples, $\Gamma$ is a finite consistent set of laws. The following example
shows that if $\Gamma$ is not consistent, the R-calculus still works to deduce all maximal subsets
of $\Gamma$ which are consistent with $\Delta$:

Example 5.3

Let $\Delta = \{x = x\}$ and $\Gamma = \{f(x) = y,\ f(y) = z,\ \neg(f(f(x)) = z)\}$. Obviously, $\Gamma$ is
not consistent. But the R-cut rule can be applied to deduce the maximal subsets which are
consistent with $\Delta$. For example, let $\Gamma_1 = \{f(x) = y\}$, $\Gamma_2 = \{\neg(f(f(x)) = z)\}$. First,

$$\Gamma_1, (f(y) = z) \vdash f(f(x)) = z \quad \text{and} \quad (f(f(x)) = z), \Gamma_2 \vdash \neg(x = x)$$

holds. It is proved that $(f(y) = z)$ is the necessary premise of $f(f(x)) = z$. According to
the R-axiom,

$$(x = x) \mid \neg(x = x) \Longrightarrow (x = x) \mid \emptyset$$

holds. Therefore, by the R-cut rule,

$$(x = x) \mid \{f(x) = y,\ f(y) = z,\ \neg(f(f(x)) = z)\} \Longrightarrow (x = x) \mid \{f(x) = y,\ \neg(f(f(x)) = z)\}$$

holds. It can be verified that $\{f(x) = y,\ \neg(f(f(x)) = z)\}$ is a maximal subset of $\Gamma$ and is
consistent with $x = x$. □

6 The Reachability and Completeness 

From the examples given in the last section, we have found that for the given $\Gamma$ and $\Delta$,
every maximal contraction of $\Gamma$ by $\Delta$ can be deduced by the R-calculus. This fact is called
the reachability of the R-calculus.

Definition 6.1 R-reachability

Let $\Delta \mid \Gamma$ be any given R-configuration, $\Gamma$ be a specification, and $\Delta$ be an R-condition
of $\Gamma$. The R-calculus is reachable, if and only if for any given maximal contraction $\Gamma'$ of
$\Gamma$ by $\Delta$, there exists an R-transition sequence such that

$$\Delta \mid \Gamma \Longrightarrow^* \Delta \mid \Gamma'$$

holds, where $\Delta \mid \Gamma'$ is an R-termination.

Lemma 6.1

Let $\Delta \mid \Gamma$ be a given R-configuration, $\Gamma$ be a specification, and $\Delta$ be an R-condition of
$\Gamma$. If $\Gamma_1$ is a maximal contraction of $\Gamma$ by $\Delta$, then there exists a sequence of R-transitions,
such that

$$\Delta \mid \Gamma \Longrightarrow^* \Delta \mid \Gamma_1$$

holds.

Proof. Consider the simple case that $\Delta$ contains only one element, $\Delta = \{\neg A\}$, and $A$ is
an atomic formula or the negation of atomic formula, $\Gamma \vdash A$ holds. Let $\Gamma_1$ be a maximal
contraction of $\Gamma$ by $\neg A$, and let $\Gamma_2 = \Gamma - \Gamma_1$.

The aim is to prove that for any $B \in \Gamma_2$, $B$ will be eliminated by the R-calculus. To
do so, let $\Gamma_3 = \Gamma_2 - \{B\}$. Thus, $\Gamma = \Gamma_3, B, \Gamma_1$. First, $\Gamma_3, B \vdash B$ holds. Second, $B$ on the
left of $\vdash$ is the necessary premise of $B$ on the right of $\vdash$. Since $\Gamma_1$ is a maximal contraction
of $\Gamma$ by $\neg A$, $\Gamma_1 \cup \{B\} \vdash A$ holds.

$$\neg A \mid A, \Gamma_1 \Longrightarrow \neg A \mid \Gamma_1$$

is an application of the R-axiom. By the R-cut rule,

$$\frac{\Gamma_3, B \vdash B \qquad B \mapsto B \qquad \Gamma_1, B \vdash A \qquad \neg A \mid A, \Gamma_1 \Longrightarrow \neg A \mid \Gamma_1}{\neg A \mid \Gamma_3, B, \Gamma_1 \Longrightarrow \neg A \mid \Gamma_3, \Gamma_1}$$

Thus, $B$ is eliminated. Therefore, every law of $\Gamma_2$ should be eliminated by the
R-calculus. □

The converse of the lemma is not true. For every sequence of R-transitions:

$$\Delta \mid \Gamma \Longrightarrow^* \Delta' \mid \Gamma'$$

where $\Delta' \mid \Gamma'$ is an R-termination, $\Gamma'$ may not be a maximal contraction of $\Gamma$ by $\Delta$.
Consider the following example:

Example 6.1 Let

$$\Gamma = \{A,\ A \supset B,\ B \supset C,\ A \supset E,\ E \supset C\}$$

$\Gamma \vdash C$ holds. Suppose that $C$ is rejected by the users. Using the R-cut rule, we can
eliminate $A \supset B$. And then, since

$$A,\ A \supset E,\ E \supset C \vdash C$$

we apply the R-cut rule again and eliminate $A$. Thus, we have:

$$\{B \supset C,\ A \supset E,\ E \supset C\}.$$

The above set is not a maximal contraction of $\Gamma$ by $\neg C$. The maximal contraction is

$$\{A \supset B,\ B \supset C,\ A \supset E,\ E \supset C\}.$$

□

Lemma 6.2

Let $A \mid \Gamma$ be an R-configuration, $A$ be an atomic formula or the negation of an atomic
formula. If $\Gamma$ is consistent with $A$, then $A \mid \Gamma$ is an R-terminated configuration.

Proof: Since $\Gamma$ is finite, $\Gamma$ can be written as $A_1 \wedge \cdots \wedge A_n$. Let $r(\Gamma)$ be the rank of $\Gamma$ [1].
The proof is given by induction on $r(A_1 \wedge \cdots \wedge A_n)$ as below:

If $r(\Gamma) = 1$, $\Gamma$ is an atomic formula. It can not be eliminated since it is consistent with
$A$. By the definition, $A \mid \Gamma$ is an R-termination.

Suppose that the lemma holds for $r(\Gamma) < k$. Consider the case of $r(\Gamma) = k$. Let $\Gamma$ be
$B, \Gamma'$, where $r(\Gamma') < k$, and $\Gamma'$ is consistent with $A$. $B$ can be one of the following cases:

1. $B$ is an atomic formula. $B$ can not be $\neg A$ since $\Gamma$ is consistent with $A$. Therefore,
$A \mid \Gamma$ is an R-termination.

2. $B$ is $B_1 \vee B_2$. According to the R-$\vee$ rule, $B$ is eliminated if and only if $B_1$ in $A \mid B_1, \Gamma'$
is to be eliminated, and $B_2$ in $A \mid B_2, \Gamma'$ is also to be eliminated. $B_1, \Gamma'$ is consistent with $A$,
and $r(B_1, \Gamma') < k$ holds. According to the inductive hypothesis, $B_1$ in $A \mid B_1, \Gamma'$ can
not be eliminated. Similarly, $B_2$ in $A \mid B_2, \Gamma'$ is also not eliminated. Therefore, $A \mid \Gamma$
is an R-termination.

3. Similarly, we can prove the cases that $B$ is $B_1 \wedge B_2$ and $B$ is $B_1 \supset B_2$.

4. $B$ is $\forall x B_1$. According to the R-$\forall$ rule, $B_1$ is eliminated if and only if $B_1[t/x]$
in $A \mid B_1[t/x], \Gamma'$ is to be eliminated. $\{B_1[t/x], \Gamma'\}$ is consistent with $A$, and
$r(B_1[t/x], \Gamma') < k$ holds. According to the inductive hypothesis, $B_1[t/x]$ in $A \mid B_1[t/x], \Gamma'$
can not be eliminated. Thus, $A \mid \Gamma$ is an R-termination.

5. Similarly, we can prove the case that $B$ is $\exists x.B_1$.

6. Finally, we prove that every one of $A_1, \ldots, A_n$ in $\Gamma$ can not be eliminated by the
R-cut rule. For each $A_k$, $k = 1, \ldots, n$, the R-cut rule is applied only in the circumstance
that there exists $B$, such that $A_1, \ldots, A_{k-1}, A_k \vdash B$, $A_k \mapsto B$, and $B, A_{k+1}, \ldots, A_n \vdash P$
hold, and $P$ in $A \mid P, A_{k+1}, \ldots, A_n$ is to be eliminated. Since $\Gamma$ is consistent
with $A$, $\{P, A_{k+1}, \ldots, A_n\}$ is also consistent with $A$. Furthermore, $P$ is an atomic
formula or the negation of an atomic formula. We know that $r(P, A_{k+1}, \ldots, A_n) < k$
holds. According to item 1, we know that $A \mid P, A_{k+1}, \ldots, A_n$ is an R-termination.
So $P$ can not be eliminated. Therefore, the R-cut rule can not be applied. □

Theorem 6.1

The R-calculus is reachable.

Proof: Let $\Delta \mid \Gamma$ be a given R-configuration, where $\Gamma$ is a finite set of sentences, and $\Delta$
is an R-condition of $\Gamma$. Consider the simple case that $\Delta$ contains only one element $A$. Let
$\Gamma'$ be a maximal contraction of $\Gamma$ by $A$. For every $B$ in $\Gamma - \Gamma'$, by Lemma 6.1, there
exists a sequence of R-transitions at the end of which $B$ is eliminated. Since $\Gamma - \Gamma'$ is a
finite set of sentences, the above sequences can be concatenated to form a sequence of
R-transitions:

$$\Delta \mid \Gamma \Longrightarrow^* \Delta \mid \Gamma'$$

where $\Delta \mid \Gamma'$ is an R-termination by Lemma 6.2. □

Definition 6.2 R-completeness

Let $\Delta \mid \Gamma$ be any R-configuration, where $\Gamma$ is a specification and $\Delta$ is an R-condition of
$\Gamma$.

The R-calculus is R-complete, if and only if for a given R-configuration $\Delta \mid \Gamma$ and
every ideal user's rejection $\mathbf{M}$, if $\mathbf{M} \models \Delta$, then there exists a transition sequence:

$$\Delta \mid \Gamma \Longrightarrow^* \Delta \mid \Gamma',$$

where $\Delta \mid \Gamma'$ is a termination and

$$\Gamma' = \{A \mid \mathbf{M} \models A \text{ and } A \in \Gamma\}$$

holds. □

Theorem 6.2

The R-calculus is R-complete.

Proof: This theorem is a corollary of Lemma 3.1 and the theorem of R-reachability.
□



7 Related works 



In 1985, Gärdenfors and his colleagues introduced their theory of changes [4]. The theory
addresses the proof-theoretic concepts of the expansion, the contraction, and the revision
in the scope of propositional logic. The maximal contraction given here can be viewed as a
special kind of AGM's contraction, but in the scope of the first order logic. The user's
rejection is a corresponding model-theoretic concept of the maximal contractions [6,9].

The AGM's theory focuses on building the systems of the propositions of the expansion,
the contraction and the revision, and on studying the properties of these systems [4,5]. The
principal difference between the AGM's theory and the R-calculus is the following: the
aim of designing the R-calculus is to build a transition system that can deduce all maximal
contractions from a given formal theory $\Gamma$ and its user's rejection $\Delta$.

Finally, it is believed that using the methods given in [2], certain proper type theories
based on the R-calculus can be constructed and the corresponding interactive tools can
be implemented to develop the specifications.

Acknowledgement: The author would like to take this chance to thank Dr. Zhang
Yuping. His counter examples helped the author to find the current version of the definition
of the necessary premise.